squid配置透明代理並支持Https及http、https攔截

1、開啓路由轉發

echo "1" > /proc/sys/net/ipv4/ip_forward

2、iptables配置

iptables -t nat -I PREROUTING -i ens160 -s 10.10.40.0/24 -p tcp --dport 80 -j REDIRECT --to 3128

iptables -t nat -I PREROUTING -i ens160 -s 10.10.40.0/24 -p tcp --dport 443 -j REDIRECT --to 3129

 

3、/usr/lib64/squid/ssl_crtd -c -s /var/lib/ssl_db

chown squid:squid /var/lib/ssl_db

 

4、openssl genrsa -out example.com.private 2048

5、openssl req -new -key example.com.private -out example.com.csr 

 

Country Name (2 letter code) [XX]:US  

State or Province Name (full name) []:Illinois  

Locality Name (eg, city) [Default City]:Chicago  

Organization Name (eg, company) [Default Company Ltd]:Example Company LTD.  

Organizational Unit Name (eg, section) []:Information Technology  

Common Name (eg, your name or your server's hostname) []:Example Company LTD.  

Email Address []:  

Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []:  

An optional company name []:Example Company LTD.  

 

6、openssl x509 -req -days 3652 -in example.com.csr -signkey example.com.private -out example.com.cert  

 

7、squid配置

http_port 0.0.0.0:3128 transparent

https_port 0.0.0.0:3129 ssl-bump cert=/etc/squid/example.com.cert key=/etc/squid/example.com.private generate-host-certificates=on dynamic_cert_mem_cache_size=4MB transparent

acl step1 at_step SslBump1

ssl_bump peek step1

ssl_bump splice all

 

visible_hostname localhost

 

acl SSL_ports port 443

acl Safe_ports port 80          # http

acl Safe_ports port 21          # ftp

acl Safe_ports port 443         # https

acl Safe_ports port 70          # gopher

acl Safe_ports port 210         # wais

acl Safe_ports port 1025-65535  # unregistered ports

acl Safe_ports port 280         # http-mgmt

acl Safe_ports port 488         # gss-http

acl Safe_ports port 591         # filemaker

acl Safe_ports port 777         # multiling http

acl CONNECT method CONNECT

acl deny_https_sites dstdomain "/etc/squid/deny_https_sites" //https禁止配置

acl denysites url_regex -i "/etc/squid/denysites" //http禁止配置

 

sslproxy_cert_error allow all

sslproxy_flags DONT_VERIFY_PEER

sslproxy_version 4

sslproxy_options ALL

 

cache_mgr [email protected]

 

cache_mem 1000 MB

cache_swap_low 90

cache_swap_high 95

 

#maximum_object_size 128 MB

maximum_object_size_in_memory 32 KB

#memory_replacement_policy heap LFUDA

 

#cache_dir aufs /squidcache 8000 16 256

cache_dir ufs /var/spool/squid 100 16 256

 

memory_pools on

memory_pools_limit 256 MB

 

dns_nameservers 114.114.114.114

 

access_log /var/log/squid/access.log squid

refresh_pattern ^ftp:      1440   20%   10080

refresh_pattern ^gopher:   1440   0%   1440

refresh_pattern -i (/cgi-bin/|\?) 0   0%   0

refresh_pattern (Release|Packages(.gz)*)$   0   20%   2880

refresh_pattern .      0   20%   4320 ignore-reload

 

coredump_dir /var/spool/squid

 

#acl all src 0.0.0.0/0

http_access deny CONNECT deny_https_sites

http_access deny denysites